Claims 

What is claimed is: 

1. A method of enabling at least one pervasive device to retrieve at least one 
authentication token from at least one personal authentication gateway, the at least one 
pervasive device comprising at least one automatic token client application and the at 
least one personal authentication gateway comprising at least one token server 
application, said method comprising the steps of: 

ascertaining at least one personal authentication gateway from the at least one 
pervasive device; 

sending at least one token request from at least one pervasive device to at least 
one personal authentication gateway; and 

receiving a token response at the pervasive device from the at least one personal 
authentication gateway. 

2. The method according to Claim 1, wherein said ascertaining step comprises 

broadcasting a pervasive authentication domain discovery request message and receiving 
at least one discovery response message from the at least one personal authentication 
gateway. 

3. The method according to Claim 1, wherein said ascertaining step comprises 
looking up a personal authentication gateway address in configuration settings. 

4. The method according to Claim 1, wherein the at least one token request 
comprises a pervasive device identification, a message type, and a protection arrangement 
for fields of the at least one token request, the protection arrangement being adapted to 
ensure integrity and confidentiality. 

5. The method according to Claim 1, wherein said receiving step comprises 
storing received credentials for use by other applications. 

6. The method according to Claim 1, further comprising the step of registering 
a pervasive device to be a member of a pervasive authentication domain by registering 
with a personal authentication gateway. 

7. A method of enabling at least one personal authentication gateway to distribute 
at least one authentication token to at least one authorized pervasive device, the at least 
one personal authentication gateway comprising at least one token server and the at least 
one pervasive device comprising at least one automatic token client, said method 
comprising the steps of: 

receiving at least one token request from at least one pervasive device on at least 
one personal authentication gateway; 

determining whether the pervasive device is authorized to receive authentication 
tokens; and 

sending at least one token response to the at least one pervasive device from at 
least one personal authentication gateway. 

8. The method according to Claim 7, wherein said sending step comprises the at 
least one personal authentication gateway responding to a pervasive authentication 
domain discovery message from the at least one pervasive device. 

9. The method according to Claim 8, wherein: 

said at least one personal authentication gateway has a pervasive authentication 
domain; and 

said sending step comprises sending the at least one token response only if the 
pervasive device identification for the pervasive authentication domain discovery 
message is a member of the pervasive authentication domain of the at least one personal 
authentication gateway. 

10. The method according to Claim 7, wherein said receiving step comprises: 

determining the pervasive device identification of the at least one token request; 

deriving at least one pervasive authentication domain for the at least one pervasive 
device; and 

retrieving at least one authentication token for the pervasive device. 

11. The method according to Claim 7, wherein the at least one token response sent 
comprises a pervasive device identification, the message type, authentication tokens, 
and a protection arrangement for fields of the at least one token response, the protection 
arrangement being adapted to ensure integrity and confidentiality. 

12. The method according to Claim 7, further comprising the step of 
registering a pervasive device to be a member of a pervasive authentication domain by 
registering with a personal authentication gateway. 

13. The method according to Claim 12, wherein said registering step comprises: 

entering the same random password on the pervasive device and the personal 
authentication gateway; 

generating on the personal authentication gateway an encryption key, 
Slave_ID_Secret, which is encrypted by the random password; 

transferring the protected key to the pervasive device and computing a fingerprint 
of the protected key on the personal authentication gateway; and 

comparing the fingerprint of the received and decrypted protected key on the 
pervasive device. 

14. The method according to Claim 13, wherein the encryption key, 
Slave_ID_Secret, is used as a protection arrangement for token requests and token 
responses. 

15. The method according to Claim 10, wherein said determining step comprises 
validating that the at least one pervasive device has been registered for the at least one 
pervasive authentication domain. 

16. The method according to Claim 10, wherein said determining step comprises 
ascertaining whether the at least one pervasive device is within a given distance of the at 
least one personal authentication gateway. 

17. The method according to Claim 10, wherein said determining step comprises 
ascertaining whether the at least one pervasive device has recently made a previous 
request. 

18. The method according to Claim 10, wherein said determining step comprises 
ascertaining whether the at least one pervasive device has not sent a message indicating 
that the at least one pervasive device is no longer to be trusted. 

19. An apparatus for enabling at least one pervasive device to retrieve at least one 
authentication token from at least one personal authentication gateway, said apparatus 
comprising: 

a discoverer which finds at least one personal authentication gateway capable of 
responding to token requests; 

a token requestor which sends at least one request for at least one token required 
by the at least one pervasive device; and 

a token responder which accepts at least one token request and sends at least one 
token response with at least one authentication token to at least one authorized pervasive 
device. 

20. The apparatus according to Claim 19, wherein the at least one token request 
comprises a pervasive device identification, the message type, at least one authentication 
token, and a protection arrangement for fields of the at least one token request, the 
protection arrangement being adapted to ensure integrity and confidentiality. 

21. The apparatus according to Claim 20, wherein said protection arrangement 
comprises Triple-DES encryption using a long key. 

22. The apparatus according to Claim 21, wherein said long key is a secure hash 
comprised of a master secret known only to the personal authentication gateway, a 
pervasive device identification, and a pervasive authentication domain identification. 
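The protection arrangement of Claims 4, 11, 21 and 22, worked through as an added example that is not the patent's own code: a Go sketch that derives the long key from the master secret, the pervasive device identification and the domain identification, then wraps a token request's fields in Triple-DES plus an integrity tag so the gateway can reject a modified or truncated request before decrypting it. CTR mode, SHA-256 as the secure hash, HMAC-SHA256 for integrity, the `|` separator and the 8-byte IV the caller supplies are all assumptions; the claims specify none of them.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// LongKey is the Claim 22 key: a secure hash over the gateway master secret, device ID and
// domain ID, cut to the 24 bytes Triple-DES needs (SHA-256 and "|" are assumptions).
func LongKey(master, deviceID, domainID string) []byte {
	sum := sha256.Sum256([]byte(master + "|" + deviceID + "|" + domainID))
	return sum[:24]
}

// crypt runs Triple-DES in CTR mode (an assumption; the claims say only "Triple-DES").
func crypt(key, iv, data []byte) []byte {
	block, err := des.NewTripleDESCipher(key) // fails only for a key that is not 24 bytes
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data) // CTR is its own inverse
	return out
}

// tag is the integrity half of the arrangement: HMAC-SHA256 over IV || ciphertext
// (also an assumption; Triple-DES on its own gives confidentiality, not integrity).
func tag(key, ivct []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(ivct)
	return m.Sum(nil)
}

// Protect turns a request's fields into the wire form IV || ciphertext || tag.
func Protect(key, iv, fields []byte) []byte {
	ivct := append(append([]byte{}, iv...), crypt(key, iv, fields)...)
	return append(ivct, tag(key, ivct)...)
}

// Unprotect verifies the tag first, so a tampered or truncated request never reaches 3DES.
func Unprotect(key, msg []byte) ([]byte, error) {
	cut := len(msg) - sha256.Size
	if cut < des.BlockSize || !hmac.Equal(msg[cut:], tag(key, msg[:cut])) {
		return nil, errors.New("token request rejected: too short or tag mismatch")
	}
	return crypt(key, msg[:des.BlockSize], msg[des.BlockSize:cut]), nil
}
```

Because the key binds the device and domain identifications, a request protected under one device's key fails the tag check on any other device's key, which is the per-device authorization the gateway relies on in Claim 7.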

23. The apparatus according to Claim 21, wherein said long key is distributed to 
the at least one pervasive device during registration. 

24. An apparatus comprising means for enabling at least one personal 
authentication gateway to distribute authentication tokens to at least one authorized 
pervasive device, said apparatus comprising: 

means for registering at least one pervasive device for membership in a pervasive 
authentication domain; 

means for receiving a token request from at least one pervasive device; 

means for determining whether the at least one pervasive device is authorized to 
receive authentication tokens; and 

means for sending at least one token response to said at least one pervasive device 
from at least one personal authentication gateway. 

25. A program storage device readable by machine, tangibly embodying a 
program of instructions executable by the machine to perform method steps for enabling 
at least one pervasive device to retrieve at least one authentication token from at least one 
personal authentication gateway, the at least one pervasive device comprising at least one 
automatic token client application and the at least one personal authentication gateway 
comprising at least one token server application, said method comprising the steps of: 

ascertaining at least one personal authentication gateway from the at least one 
pervasive device; 

sending at least one token request from at least one pervasive device to at least 
one personal authentication gateway; and 

receiving a token response at the pervasive device from the at least one personal 
authentication gateway. 

26. A program storage device readable by machine, tangibly embodying a 
program of instructions executable by the machine to perform method steps enabling at 
least one personal authentication gateway to distribute authentication tokens to at least 
one authorized pervasive device, the at least one personal authentication gateway 
comprising at least one token server and the at least one pervasive device comprising at 
least one automatic token client, said method comprising the steps of: 

receiving at least one token request from at least one pervasive device on at least 
one personal authentication gateway; 

determining whether the pervasive device is authorized to receive authentication 
tokens; and 

sending at least one token response to the at least one pervasive device from at 
least one personal authentication gateway. 

YOR920030518US1 

27. An article of manufacture comprising a computer usable medium having 
computer readable program code means embodied therein for causing a computer to 
effect a method of enabling at least one pervasive device to retrieve at least one 
authentication token from at least one personal authentication gateway, the at least one 
pervasive device comprising at least one automatic token client application and the at 
least one personal authentication gateway comprising at least one token server 
application, said method comprising the steps of: 

ascertaining at least one personal authentication gateway from the at least one 
pervasive device; 

sending at least one token request from at least one pervasive device to at least 
one personal authentication gateway; and 

receiving a token response at the pervasive device from the at least one personal 
authentication gateway. 

28. An article of manufacture comprising a computer usable medium having 
computer readable program code means embodied therein for causing a computer to 
effect a method of enabling at least one personal authentication gateway to distribute at 
least one authentication token to at least one authorized pervasive device, the at least one 
personal authentication gateway comprising at least one token server and the at least one 
pervasive device comprising at least one automatic token client, said method comprising 
the steps of: 

receiving at least one token request from at least one pervasive device on at least 
one personal authentication gateway; 

determining whether the pervasive device is authorized to receive authentication 
tokens; and 

sending at least one token response to the at least one pervasive device from at 
least one personal authentication gateway. 

29. A computer program product comprising a computer usable medium having 
computer readable program code means embodied therein for causing enablement of at 
least one pervasive device to obtain authentication tokens from at least one personal 
authentication gateway, the computer readable program code means in said computer 
program product comprising computer readable program code means for causing a 
computer to effect an apparatus for enabling at least one pervasive device to retrieve at 
least one authentication token from at least one personal authentication gateway, said 
apparatus comprising: 

a discoverer which finds at least one personal authentication gateway capable of 
responding to token requests; 

a token requestor which sends at least one request for at least one token required 
by the at least one pervasive device; and 

a token responder which accepts at least one token request and sends at least one 
token response with at least one authentication token to at least one authorized pervasive 
device. 